frameworks_av - frameworks/av

diff options

author	Kevin Rocard <krocard@google.com>	2017-11-13 11:15:27 -0800
committer	Ivan Kutepov <its.kutepov@gmail.com>	2018-02-08 02:41:00 +0300
commit	d43b790fe4e45c0a0ab598e169672af0904dc0d3 (patch)
tree	895ee3976fd1c9d09b3ed1bbf3a34fcf7f3692cc /media/libstagefright/include/SoftVideoEncoderOMXComponent.h
parent	19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c (diff)
download	frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.tar.gz frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.tar.bz2 frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.zip

IAudioPolicyService: Add attribute tags sanitization

When audio_attributes_t was read from the binder parcel, the string tags field was copied without checking that it contained a '\0'. This could lead to read past the end when tags were used. This patch always adds a '\0' at the end of the buffer when deserializing. Bug: 68953950 Test: manual playback/record Test: send binder payload without \0 in tags attribute, check that only AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed. Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934 Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934 Signed-off-by: Kevin Rocard <krocard@google.com> (cherry picked from commit 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e) CVE-2017-13232

Diffstat (limited to 'media/libstagefright/include/SoftVideoEncoderOMXComponent.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: